Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
From: Lincoln Yeoh (lyeoh@pop.jaring.my)
Date: 08/30/01
Message-Id: <3.0.5.32.20010830133508.0087b270@192.228.128.13>
Date: Thu, 30 Aug 2001 13:35:08 +0800
To: "Jeff Jancula" <Jeff@Jancula.com>, <vuln-dev@securityfocus.com>
From: Lincoln Yeoh <lyeoh@pop.jaring.my>
Subject: Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:
>BACKGROUND:
>
>When an Internet browser user visits IIS or ColdFusion hosted web sites,
>the web server issues browser commands similar to:
>
>(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP
>(for CF) Set-Cookie: CFID=123
>(for CF) Set-Cookie: CFTOKEN=4567890
>
>The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values
>with each subsequent request to the web server. IIS and ColdFusion use
>these values to identify and track each user.
>

What does CFID=123 mean to ColdFusion? Is that the user/session ID?

Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING and
ColdFusion will think it's the same user/session?

If it does then it's a very big problem. If it doesn't, then it may not be
a problem unless your application assumes that just having a session means
it's a valid user.

Cheerio,
Link.
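
The two cases this reply distinguishes, as an added example that is not part of the original message and does not describe how ColdFusion itself validates CFID/CFTOKEN: a session lookup that rejects a known id sent with the wrong token, and a user check that does not treat "has a session" as "is a valid user". `SessionStore` and `user_from_cookie_header` are hypothetical names, and the credential check before `login` is assumed to happen elsewhere.

```python
import hmac
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Hypothetical session table; ids are sequential like the CFID=123 above."""

    def __init__(self):
        self._sessions = {}
        self._next_id = 1

    def create(self):
        sid = str(self._next_id)           # guessable: only a lookup key
        self._next_id += 1
        token = secrets.token_urlsafe(32)  # unguessable: the actual credential
        self._sessions[sid] = {"token": token, "user": None}
        return sid, token

    def lookup(self, sid, token):
        """Return the session only if the id exists AND the token matches it."""
        session = self._sessions.get(sid)
        if session is None or not token:
            return None
        # Constant-time comparison, so timing does not reveal a partial match.
        if not hmac.compare_digest(session["token"].encode(), token.encode()):
            return None
        return session

    def login(self, sid, token, user):
        """Mark a session as authenticated (credential check assumed done)."""
        session = self.lookup(sid, token)
        if session is None:
            return False
        session["user"] = user
        return True


def user_from_cookie_header(store, header):
    """Map a Cookie header to a user; a valid session alone yields None."""
    cookies = SimpleCookie()
    cookies.load(header)
    sid, token = cookies.get("CFID"), cookies.get("CFTOKEN")
    if sid is None or token is None:
        return None
    session = store.lookup(sid.value, token.value)
    return session["user"] if session else None
```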